CVE-2023-20957: 
NixOS vulnerability analysis and mitigation

CVE-2023-20957 is a security vulnerability discovered in Android's SettingsPreferenceFragment.java component, specifically in the onAttach functionality. The vulnerability affects Android versions 11, 12, 12L, and was disclosed in the March 2023 security bulletin. This vulnerability allows for a potential bypass of Factory Reset Protections through a confused deputy attack vector (Android Bulletin).

The vulnerability exists in the onAttach method of SettingsPreferenceFragment.java and could lead to local escalation of privilege with no additional execution privileges needed. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access, has low attack complexity, requires low privileges, needs no user interaction, and can impact confidentiality, integrity, and availability at a high level (NVD).

The successful exploitation of this vulnerability could result in a bypass of Factory Reset Protections and local privilege escalation. This could potentially allow an attacker to gain elevated access to the device's resources and functionality without requiring additional execution privileges (Android Bulletin).

Google has addressed this vulnerability in the March 2023 Android Security Bulletin. Users should update their Android devices to a security patch level of 2023-03-01 or later to protect against this vulnerability (Android Bulletin).